New features

PowerShell downgrade attack detected

In earlier versions of PowerShell, the logging facilities were inferior to those in recent versions. Therefore, a common attack strategy is to run an old version of PowerShell in order to prevent malicious activity from being logged. This rule informs you about such threats. For details, see Monitoring for PowerShell Downgrades. The rule is located in the Advanced Threat Protection | Windows/AD Suspicious Activity | PowerShell rule folder.
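The check this rule performs can be illustrated on the Windows PowerShell classic log, where Event ID 400 records every engine start together with the HostVersion and EngineVersion it ran with. The example below is added here and is not InTrust's rule logic; the event records are constructed samples, and the threshold (engine major version below 5) is an assumption for illustration.

```python
import re
from typing import Dict, List

# Constructed samples shaped like Windows PowerShell classic log Event ID 400
# ("Engine state is changed from None to Available"), whose Details section
# lists HostVersion and EngineVersion. Only the fields the check needs are kept.
SAMPLE_EVENTS = [
    {"EventID": 400, "Computer": "WS01.example.test", "Message":
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n\tEngineVersion=5.1.19041.1\n"},
    {"EventID": 400, "Computer": "WS01.example.test", "Message":  # powershell -Version 2
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n\tEngineVersion=2.0\n"},
    {"EventID": 403, "Computer": "WS01.example.test", "Message":  # engine stop: ignored
        "Engine state is changed from Available to Stopped.\n\nDetails:\n\tEngineVersion=2.0\n"},
]

FIELD_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.MULTILINE)

def parse_details(message: str) -> Dict[str, str]:
    # Turn the Name=Value lines of the Details section into a dict.
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(message)}

def is_downgraded_engine(details: Dict[str, str], min_major: int = 5) -> bool:
    # True when the engine that started is older than the expected major version.
    try:
        major = int(details.get("EngineVersion", "").split(".")[0])
    except ValueError:
        return False  # missing or malformed version: nothing to compare against
    return major < min_major

def find_downgrades(events: List[dict], min_major: int = 5) -> List[dict]:
    # One finding per engine start (Event ID 400) whose version is below min_major.
    findings = []
    for ev in events:
        if ev.get("EventID") != 400:
            continue
        details = parse_details(ev["Message"])
        if is_downgraded_engine(details, min_major):
            findings.append({"computer": ev["Computer"],
                             "host_version": details.get("HostVersion"),
                             "engine_version": details["EngineVersion"]})
    return findings

if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_EVENTS):
        print(f"{f['computer']}: host {f['host_version']} started engine {f['engine_version']}")
```

A modern host (5.x) starting a 2.0 engine is the telltale combination; a plain match on the engine version alone would also flag genuinely old machines, so the host version is kept in the finding for triage.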

Exploitable logon by high-privileged account

This rule captures situations where a powerful account logs on to a workstation in ways that are vulnerable to pass-the-hash attacks, which rely on retrieving credentials from memory or cache. The rule is located in the Advanced Threat Protection | Windows/AD Suspicious Activity | Gaining Administrative Rights rule folder.

Suspicious process was started (Security log on Windows 10 / Windows Server 2016 and later)

The rule detects launches of suspicious processes, meaning processes that are started from unusual locations or that generate events containing telltale keywords. As the name suggests, the rule relies on the Security log. The rule is located in the Advanced Threat Protection | Windows/AD Suspicious Activity | Backdoors rule folder. For details, see Setting Up Monitoring for Suspicious Processes.

Support for VMware ESXi 6.0–6.7 auditing

The range of VMware systems that InTrust can audit has been extended to include ESXi 6.0, 6.5 and 6.7.

Logging of real-time monitoring rule matches and alerts

Event Log Recipient is a new type of notification recipient (formerly called operator) that makes it possible to use the Windows event log as the notification destination. If this recipient is specified for a real-time monitoring rule, then InTrust generates an event describing how the rule was matched and includes the alert data. At this time, these events are written only to the InTrust log. You can use this recipient to integrate InTrust alerts into your SIEM security log analytics workflow. Alerts provide the focus that you don't get by streaming everything into your SIEM. For more details, see Example: Mirroring InTrust Real-Time Alerts in SIEM. For convenient batch configuration of rules, see Quest Support Knowledge Base article 312739.

New features in InTrust 11.4.1:

Event forwarding in Syslog RFC 5424 format

The Syslog message format defined by RFC 5424 is widely supported by SIEM providers. Now that InTrust can forward events in this format, you can easily integrate your InTrust-collected data with a variety of SIEM solutions, without the need for custom scripts that implement proprietary formats.
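To show what a SIEM receives in this format, the following added example builds an RFC 5424 message (PRI, version, RFC 3339 timestamp, header fields, structured data with the escaping the RFC requires, and the free-text message) from a constructed Windows logon event. It is not InTrust's forwarder code; the SD-ID "win@32473" (32473 is the enterprise number reserved for documentation) and the parameter names are assumptions.

```python
import datetime as dt
from typing import Dict, Optional

NILVALUE = "-"  # RFC 5424 placeholder for an absent header field or SD part

def escape_param_value(value: str) -> str:
    # RFC 5424 section 6.3.3: '\', '"' and ']' inside a PARAM-VALUE must be escaped.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def header_field(value: Optional[str], max_len: int) -> str:
    # HOSTNAME/APP-NAME/PROCID/MSGID are printable ASCII without spaces, or NILVALUE.
    if not value:
        return NILVALUE
    if " " in value or not value.isascii() or not value.isprintable():
        raise ValueError(f"invalid header field: {value!r}")
    return value[:max_len]

def format_structured_data(sd: Dict[str, Dict[str, str]]) -> str:
    # Each SD-ELEMENT is [SD-ID PARAM-NAME="PARAM-VALUE" ...]; no elements at all is NILVALUE.
    if not sd:
        return NILVALUE
    return "".join(
        "[" + sd_id + "".join(f' {k}="{escape_param_value(v)}"' for k, v in params.items()) + "]"
        for sd_id, params in sd.items())

def format_rfc5424(facility: int, severity: int, timestamp: dt.datetime, hostname: str,
                   app_name: str, msgid: str, sd: Dict[str, Dict[str, str]], msg: str,
                   procid: Optional[str] = None) -> str:
    # PRI is facility*8 + severity; VERSION is 1; TIMESTAMP is RFC 3339 rendered in UTC.
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    ts = timestamp.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    header = " ".join([f"<{facility * 8 + severity}>1", ts,
                       header_field(hostname, 255), header_field(app_name, 48),
                       header_field(procid, 128), header_field(msgid, 32)])
    return f"{header} {format_structured_data(sd)} {msg}"

# Constructed sample: a Windows Security logon event rendered as one RFC 5424 message.
SAMPLE_MESSAGE = format_rfc5424(
    facility=13, severity=5,  # log audit, notice
    timestamp=dt.datetime(2019, 3, 14, 10, 15, 30, tzinfo=dt.timezone.utc),
    hostname="intrust01.example.test", app_name="InTrust", msgid="4624",
    sd={"win@32473": {"EventID": "4624", "LogonType": "10", "Account": 'DOMAIN\\alice "Admin"'}},
    msg="An account was successfully logged on")

if __name__ == "__main__":
    print(SAMPLE_MESSAGE)
```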

Event forwarding takes advantage of TLS

Event forwarding over TCP can now be secured with TLS in environments where this type of security is used. TLS-Secured TCP is a new transport option in the forwarding settings for InTrust repositories.

Support for multiple filters for event forwarding

Unlike previous releases, where you used one event forwarding filter per repository, you can now specify multiple filters. InTrust forwards events that match any of the filters you select, so each filter you add broadens the scope instead of narrowing it.

Support for deployment on Windows Server 2019 and SQL Server 2017

InTrust components can be installed on computers running Windows Server 2019. InTrust configuration, audit and alert databases can be hosted on Microsoft SQL Server 2017.

Best practice filters for event forwarding

InTrust provides a set of event forwarding filters that incorporate security analysis best practices. These filters incorporate recommendations from sources such as NSA and MITRE and are categorized so that you can easily combine them as necessary. The filters are implemented as searches and are available in the Threat Hunting | Windows | Native OS Logs Telemetry search folder.

InTrust SDK improvements

The InTrust SDK now provides bindings for working with sites and event forwarding configuration.

IMPORTANT: This release does not contain any changes to the Knowledge Packs for Solaris and IBM AIX; therefore, these components were not rebuilt for InTrust 11.4.1 and are not included. If you need InTrust configuration objects related to these platforms and InTrust agents for them, use previous versions of these components. Do one of the following:

If you are upgrading to InTrust 11.4.1, just perform the upgrade. Your agents and configuration objects will keep working.

If you are doing a fresh deployment of InTrust 11.4.1, install version 11.4 of the Knowledge Packs in addition. To download the packages, go to https://support.quest.com/intrust/11.4.

Enhancements

The "File creation detected" and "File renaming detected" rules have been updated to spot a wider range of ransomware. For details about the types of ransomware that the rules watch out for, see the rules' properties.
Issue ID: IN-9071

Event forwarding optimizations for tailor-made forwarding scenarios

The following organization parameters have been added to give you better control of the event forwarding system:

In InTrust Deployment Manager collections, the "Suppress errors from non-existent data sources" option has been replaced by the "If any of the selected data sources cannot be found, consider this an error" option, which is cleared by default. This revision is intended to prevent collection activities from being flagged as failed when they are actually successful.
Issue ID: IN-9425

Export of agent health data to CSV from InTrust Deployment Manager

You can now export information about InTrust Deployment Manager collections to CSV files. For details, see Analyzing Collections.
Issue ID: IN-9312

Table 2: Enhancements in InTrust 11.4.1

InTrust Server log events have been made clearer and easier to analyze in Repository Viewer:

All InTrust Server log events now have named fields such as Repository, Server and Data Source Type. Previously, these fields were absent from some relevant events.

Several InTrust Server log-based predefined searches have been added to Repository Viewer.
Issue ID: IN-2561

Security log events about Active Directory changes are now broken into named fields in a more meaningful way that makes it easier to analyze security incidents. Thanks to new named fields in its event definitions, InTrust captures the names of all affected Active Directory attributes from such events.
Issue ID: IN-5248

The performance of repository searches has been significantly improved. Generally, searches are now at least 30% faster. In the best cases, they are up to 8 times faster.

Resolved issues

The following is a list of issues addressed in InTrust 11.4.1 Update 1.

Table 3: Resolved issues in InTrust 11.4.1 Update 1

In events from Windows 10 and Windows Server 2016 and later, the computer type can be mistakenly recognized as Server instead of Workstation for a short time after a system restart.

Solution details: This issue has been fixed, but in some situations you get duplicate gathered events, where one set has the Server type and the other has the Workstation type, and all other fields are identical.
Issue ID: IN-9108

Changing the repository path in the properties of an indexed repository causes an error and fails.
Issue ID: IN-3137

The forwarding statistics in the properties of a repository in InTrust Deployment Manager are shown in an unclear notation when a large number of events have been processed.
Issue ID: IN-8694

Repository Viewer crashes when you try to open the field chooser in the search editor. This happens if the InTrust services have been restarted after the repository was opened in Repository Viewer.
Issue ID: IN-9376

Field name "New SD" is used instead of the correct name "New_SD" when events are put into storage. This causes incorrect search results.
Issue ID: IN-9116

If you enable a real-time monitoring policy but your InTrust license has expired, there is no error message indicating that real-time monitoring won't work.
Issue ID: IN-8491

When Repository Viewer is connected to a repository under an account that has read-only access to that repository, searches can fail with a "Cannot lock repository" error, even though read access should be sufficient for searching.
Issue ID: IN-10199

Gathering from VMware ESX/ESXi and vCenter doesn't work if TLS 1.2 is enforced for connections to the VMware servers.
Issue ID: IN-10017

If you try to create a repository and specify its path in local format, then during indexing and repository merging you get an unclear error message that doesn't tell you to use a UNC path instead.
Issue ID: IN-10181

Repository Viewer crashes if you add repositories to a previously opened repository group.
Issue IDs: IN-9113, IN-8900

Repository Viewer crashes if it encounters an event field name with a trailing underscore.
Issue IDs: IN-8877, IN-8644

The field chooser dialog box can be displayed so that its caption is out of screen bounds.
Issue ID: IN-9161

In some situations, multiple repository cleanup schedules can be created for the same repository. This sometimes happens if more than one instance of InTrust Deployment Manager is making changes to the repository configuration at the same time.
Issue ID: IN-7908

If event forwarding filters are configured to let only a few events through, then the statistics line says 0% is forwarded, as if forwarding doesn't work at all.
Issue ID: IN-8285

The InTrustServiceLookup.dll file, which InTrust components use to communicate with each other, can be erroneously regarded as adware by some antivirus software. The antivirus may quarantine the file as a result. If this happens to you, change the adware quarantine behavior of your antivirus so that InTrustServiceLookup.dll is not moved, or add this file as a permanent exception.
Issue ID: IN-8368

Table 4: Resolved issue in InTrust 11.4.1

The forwarding statistics in the properties of a repository in InTrust Deployment Manager are shown in an unclear notation when a large number of events have been processed.